Ethereum Go Ethereum vulnerabilities

CVE-2026-26314 [HIGH] CWE-20 CVE-2026-26314: go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to ver go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. The problem is resolved in the v1.16.9 and v1.17.0 releases of Geth.

CVE-2026-26315 [MEDIUM] CWE-203 CVE-2026-26315: go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to ver go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key. The issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. Geth maintainers recommend rotating the node key afte

CVE-2026-26313 [MEDIUM] CWE-770 CVE-2026-26313: go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to ver go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release.

CVE-2026-22862 [HIGH] CWE-20 CVE-2026-22862: go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

CVE-2026-22868 [HIGH] CWE-20 CVE-2026-22868: go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node can be forced to shutdown/crash using a specially crafted message. This vulnerability is fixed in 1.16.8.

CVE-2023-42319 [HIGH] CVE-2023-42319: Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cau Geth (aka go-ethereum) through 1.13.4, when --http --graphql is used, allows remote attackers to cause a denial of service (memory consumption and daemon hang) via a crafted GraphQL query. NOTE: the vendor's position is that the "graphql endpoint [is not] designed to withstand attacks by hostile clients, nor handle huge amounts of clients/traffic.

CVE-2023-40591 [HIGH] CWE-400 CVE-2023-40591: go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. A vulnerable node, can be made to consume unbounded amounts of memory when handling specially crafted p2p messages sent from an attacker node. The fix is included in geth version `1.12.1-stable`, i.e, `1.12.2-unstable` and onwards. Users are advised to upgrade. The

CVE-2022-37450 [MEDIUM] CVE-2022-37450: Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in cert Go Ethereum (aka geth) through 1.10.21 allows attackers to increase rewards by mining blocks in certain situations, and using a manipulation of time-difference values to achieve replacement of main-chain blocks, aka Riskless Uncle Making (RUM), as exploited in the wild in 2020 through 2022.

CVE-2022-29177 [MEDIUM] CWE-400 CVE-2022-29177: Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17 Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.17, a vulnerable node, if configured to use high verbosity logging, can be made to crash when handling specially crafted p2p messages sent from an attacker node. Version 1.10.17 contains a patch that addresses the problem. As a workaround, setting logle

CVE-2021-42219 [HIGH] CVE-2021-42219: Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of s Go-Ethereum v1.10.9 was discovered to contain an issue which allows attackers to cause a denial of service (DoS) via sending an excessive amount of messages to a node. This is caused by missing memory in the component /ethash/algorithm.go.

CVE-2022-23327 [HIGH] CVE-2022-23327: A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future A design flaw in Go-Ethereum 1.10.12 and older versions allows an attacker node to send 5120 future transactions with a high gas price in one message, which can purge all of pending transactions in a victim node's memory pool, causing a denial of service (DoS).

CVE-2021-43668 [MEDIUM] CWE-476 CVE-2021-43668: Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot b Go-Ethereum 1.10.9 nodes crash (denial of service) after receiving a serial of messages and cannot be recovered. They will crash with "runtime error: invalid memory address or nil pointer dereference" and arise a SEGV signal.

CVE-2021-41173 [MEDIUM] CWE-20 CVE-2021-41173: Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, Go Ethereum is the official Golang implementation of the Ethereum protocol. Prior to version 1.10.9, a vulnerable node is susceptible to crash when processing a maliciously crafted message from a peer. Version v1.10.9 contains patches to the vulnerability. There are no known workarounds aside from upgrading.

CVE-2021-39137 [HIGH] CWE-436 CVE-2021-39137: go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a conse go-ethereum is the official Go implementation of the Ethereum protocol. In affected versions a consensus-vulnerability in go-ethereum (Geth) could cause a chain split, where vulnerable versions refuse to accept the canonical chain. Further details about the vulnerability will be disclosed at a later date. A patch is included in the upcoming `v1.10.8`

CVE-2020-26264 [MEDIUM] CWE-400 CVE-2020-26264: Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth befo Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.25 a denial-of-service vulnerability can make a LES server crash via malicious GetProofsV2 request from a connected LES client. This vulnerability only concerns users explicitly enabling les server; disabling les prevents the exploit. T

CVE-2020-26265 [MEDIUM] CWE-682 CVE-2020-26265: Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth from version 1.9.4 and before version 1.9.20 a consensus-vulnerability could cause a chain split, where vulnerable versions refuse to accept the canonical chain. The fix was included in the Paragade release version 1.9.20. No individual workaround patches

CVE-2020-26240 [HIGH] CWE-682 CVE-2020-26240: Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mi Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. An ethash mining DAG generation flaw in Geth before version 1.9.24 could cause miners to erroneously calculate PoW in an upcoming epoch (estimated early January, 2021). This happened on the ETC chain on 2020-11-06. This issue is relevant only for miners, non-mining

CVE-2020-26242 [HIGH] CVE-2020-26242: Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth befo Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. In Geth before version 1.9.18, there is a Denial-of-service (crash) during block processing. This is fixed in 1.9.18.

CVE-2020-26241 [HIGH] CWE-682 CVE-2020-26241: Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Co Go Ethereum, or "Geth", is the official Golang implementation of the Ethereum protocol. This is a Consensus vulnerability in Geth before version 1.9.17 which can be used to cause a chain-split where vulnerable nodes reject the canonical chain. Geth's pre-compiled dataCopy (at 0x00...04) contract did a shallow copy on invocation. An attacker could depl

CVE-2018-20421 [HIGH] CWE-770 CVE-2018-20421: Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by Go Ethereum (aka geth) 1.8.19 allows attackers to cause a denial of service (memory consumption) by rewriting the length of a dynamic array in memory, and then writing data to a single memory location with a large index number, as demonstrated by use of "assembly { mstore }" followed by a "c[0xC800000] = 0xFF" assignment.